cbcvebase.
CVE-2024-7340
published 2024-07-31

Priority: P267 | Severity: high | CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.97% (91.1th percentile)
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.

Affected

1 range
Vendor | Product | Version range | Fixed in
weave | weave | >= 0, < 0.50.8 | 0.50.8

Detection & IOCs

url: /__weave/file/tmp/weave/fs/../../../etc/passwd
path: /__weave/file/tmp/weave/fs/
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS W&B Weave Server Arbitrary File Leak (CVE-2024-7340)"; flow:established,to_server; http.request_line; content:"GET /__weave/file/tmp/weave/fs/"; fast_pattern; startswith; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-7340.yaml; reference:cve,2024-7340; classtype:web-application-attack; sid:2056182; rev:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_25, cve CVE_2024_7340, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • HTTP GET requests to the path `/__weave/file/tmp/weave/fs/` followed by path traversal sequences (`../` or URL-encoded equivalents) are indicative of exploitation attempts.
  • Successful exploitation returns HTTP 200 with Content-Type `application/octet-stream` and a `filename=passwd` header, alongside `/etc/passwd` content matching `root:.*:0:0:` in the response body.
  • Detect path traversal via both literal dot-slash sequences and URL-encoded variants: `%2e` for `.`, `%2f` or `%5c` for `/` or `\`, appearing two or more times consecutively in the request URI after `/__weave/file/tmp/weave/fs/`.
  • The vulnerability is exploitable by authenticated low-privileged users; monitor for low-privilege accounts making requests to the `/__weave/file/` API endpoint.
  • The Snort/Suricata rule (sid:2056182) requires TLS decryption (`tls_state TLSDecrypt`, `deployment SSLDecrypt`) to detect exploitation over HTTPS; without SSL inspection, encrypted traffic will not be inspected.
  • The nuclei template targets a single request and matches on a specific traversal payload (`../../../etc/passwd`); real-world attackers may use different traversal depths or target other sensitive files beyond `/etc/passwd`.
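The detection notes above, as an added example (not part of the original page or the Weave project): a Python log scanner that percent-decodes and normalizes each request path, then flags any GET under `/__weave/file/tmp/weave/fs/` that resolves outside that prefix, which generalizes the rule to any traversal depth or encoding mix. The access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

WEAVE_FS_PREFIX = "/__weave/file/tmp/weave/fs/"  # path IOC from the page
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in an assumed combined-style log format; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - u1 [25/Sep/2024:10:00:01 +0000] "GET /__weave/file/tmp/weave/fs/report.csv HTTP/1.1" 200 512',
    '192.0.2.44 - u2 [25/Sep/2024:10:00:07 +0000] "GET /__weave/file/tmp/weave/fs/../../../etc/passwd HTTP/1.1" 200 1873',
    '192.0.2.44 - u2 [25/Sep/2024:10:00:09 +0000] "GET /__weave/file/tmp/weave/fs/%2e%2e%2f%2E%2E%2F..%5cetc%2fpasswd HTTP/1.1" 200 1873',
    '192.0.2.10 - u1 [25/Sep/2024:10:01:30 +0000] "GET /__weave/file/tmp/weave/fs/a/../report.csv HTTP/1.1" 200 512',
    '198.51.100.7 - u3 [25/Sep/2024:10:02:11 +0000] "GET /__weave/file/tmp/weave/fs/../../../../../etc/passwd HTTP/1.1" 200 1873',
]


def fully_decode(path, max_rounds=5):
    """Percent-decode until stable so every encoded form compares in one shape."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(target):
    """True if a request under the Weave file prefix resolves outside of it."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    if not path.startswith(WEAVE_FS_PREFIX):
        return False
    resolved = posixpath.normpath(path)  # collapses "a/..", "//" and "."
    return not (resolved + "/").startswith(WEAVE_FS_PREFIX)


def scan(lines):
    """Return (line_number, raw_target) for each GET that escapes the prefix."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m and m.group("method") == "GET" and is_traversal(m.group("target")):
            hits.append((number, m.group("target")))
    return hits


if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: traversal attempt -> {target}")
```

Because it compares the resolved path rather than counting `../` sequences, a request such as `a/../report.csv` that stays inside the directory is not flagged.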